Headline
CVE-2023-5746: Synology_SA_23_11 | Synology Inc.
A vulnerability regarding use of externally-controlled format string is found in the cgi component. This allows remote attackers to execute arbitrary code via unspecified vectors. The following models with Synology Camera Firmware versions before 1.0.5-0185 may be affected: BC500 and TC500.
Abstract
A vulnerability allows remote attackers to execute arbitrary code via a susceptible version of Synology Camera BC500 Firmware and Synology Camera TC500 Firmware.
Affected Products
Product
Severity
Fixed Release Availability
BC500
Critical
Upgrade to 1.0.5-0185 or above.
TC500
Critical
Upgrade to 1.0.5-0185 or above.
Mitigation
Setting up firewall rules to allow only trusted clients to connect can be used as a temporary mitigation.
Detail
- CVE-2023-5746
- Severity: Critical
- CVSS3 Base Score: 9.8
- CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- A vulnerability regarding use of externally-controlled format string is found in the cgi component. This allows remote attackers to execute arbitrary code via unspecified vectors. The following models with Synology Camera Firmware versions before 1.0.5-0185 may be affected: BC500 and TC500.
Acknowledgement
chumen77(GAO JUYANG) from WeBin Lab of DbappSecurity Co.,Ltd.
Revision
Revision
Date
Description
1
2023-08-17
Initial public release.
2
2023-10-24
Disclosed vulnerability details.